
Re: need decision on packages with crypto hooks



> http://jya.com/bxa123096.txt

This stuff is hilarious!  Well worth skimming through...

    Encryption products, when used outside the United States, can
jeopardize our foreign policy and national security interests.
Moreover, such products, when used by international criminal
organizations, can threaten the safety of U.S. citizens here and
abroad, as well as the safety of the citizens of other countries.
The exportation of encryption products must be controlled to further
U.S. foreign policy objectives, and promote our national security,
including the protection of the safety of U.S. citizens abroad.

(I live in Canada, and I use encryption -- I wasn't aware that I
 was jeopardizing U.S. national security)

    This interim rule also amends the Export Administration Regulations
by requiring a license for exports and reexports to all destinations,
except Canada, of certain encryption items controlled for EI reasons.

(Cool, it looks like I'm special)

Note that the one-time review is for a determination to release encryption 
software in object code only.

(So much for ever being able to export free-software encryption)

 Producers would commit to
produce key recovery products. Others would commit to incorporate such
products into their own products or services. Plans will be evaluated
in consideration of good faith efforts by the exporter to promote key
recovery products and infrastructure. Such efforts can include: the
scale of key recovery research and development, product development,
and marketing plans; significant steps to reflect potential customer
demand for key recovery products in the firm's encryption-related
business; and how soon a key recovery agent will be identified.

(i.e. if you've got big bucks - you can skirt the regulations a bit)

(now for the best part)

    I have determined that the export of encryption products
described in this section may harm national security and foreign
policy interests even where comparable products are or appear to be
available from sources outside the United States, and that facts and
questions concerning the foreign availability of such encryption
products cannot be subject to public disclosure or judicial review
without revealing or implicating classified information that could
harm United States national security and foreign policy interests.

(so basically, revealing the fact that encryption products are already
available outside of the U.S. to a U.S. court would jeopardize
national security, so U.S. courts are not allowed to even consider
this fact)

(we better not mention on our web pages that people can obtain PGP
 from outside the U.S., since this obviously has been categorized 
 as classified information)

     2. Notwithstanding any other provision of law, no person is
required to respond to, nor shall any person be subject to a penalty
for failure to comply with a collection of information, subject to the
requirements of the Paperwork Reduction Act (PRA), unless that
collection of information displays a currently valid OMB Control
Number. This rule involves collections of information subject to the
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

(paperwork reduction act?  maybe the person that wrote this should
 read that...)

    4. The provisions of the Administrative Procedure Act (5 U.S.C.
553) requiring notice of proposed rulemaking, the opportunity for
public participation, and a delay in effective date, are inapplicable
because this regulation involves a military and foreign affairs
function of the United States (Sec. 5 U.S.C. 553(a)(1)).

(see - no public participation, land of the free, eh?)

encryption software
controlled for ``EI'' reasons under ECCN 5E002 do not lose their U.S.-
origin when redrawn, used, consulted, or otherwise commingled abroad in
any respect with other software or technology of any other origin.

(commingled?)

Sec. 744.9.  Restrictions on technical assistance by U.S. persons with
respect to encryption items.

    (a) General prohibition. No U.S. person may, without a license from
BXA, provide technical assistance (including training) to foreign
persons with the intent to aid a foreign person in the development or
manufacture outside the United States of encryption commodities and
software that, if of United States origin, would be controlled for
``EI'' reasons under ECCN 5A002 or 5D002. Note that this prohibition
does not apply if the U.S. person providing the assistance has a
license or is otherwise entitled to export the encryption commodities
and software in question to the foreign person(s) receiving the
assistance. Note in addition that the mere teaching or discussion of
information about cryptography, including, for example, in an academic
setting, by itself would not establish the intent described in this
section, even where foreign persons are present.
    (b) Definition of U.S. person. For purposes of this section, the
term U.S. person includes:
    (1) Any individual who is a citizen or permanent resident alien of
the United States;

(so teaching is ok, but training isn't, of course)

    Encryption object code. Computer programs containing an encryption
source code that has been compiled into a form of code that can be
directly executed by a computer to perform an encryption function.

(hey, maybe distributing encryption source is a-ok!  If we do a Debian
 package that does the compilation as part of the install process,
 we aren't distributing encryption object code, are we?)


There's more - but I think I've read enough.  What a stupid law.  There's
no way it would stand up in court.  It's basically just a recipe for
harassment of people who don't act the way the government wants them
to.

With that in mind, I think the best policy is to just play "fast and
loose" with the rules.  I really doubt the government would ever actually
charge someone under these rules without first ordering a "cease
and desist".  So don't try to do things to the letter of the law (or
whatever it is), since the letter of the law can change at any time,
depending on the whims of the bureaucrats in charge.  Just don't make
yourself a target, and you should be OK.

Cheers,

 - Jim







Attachment: pgpfFjdLg0hRR.pgp
Description: PGP signature

